During my penetration testing, I found a local file inclusion vulnerability. In fact, this vulnerability existed in MailWatch <= 1.0.4, and its exploit existed in Exploit-DB.

I tried to exploit the operating system (CentOS 6) via this vulnerability using the file /proc/self/environ, but I failed because it returns a blank page when I try to see the content of the /proc/self/environ file.

I think we're going to need some more details, here. A CVE ID and/or link to the exploit you're trying to run might help. Screenshots and/or a CLI log could be useful as well.
– Iszi, Sep 10 '12 at 19:24

Yep. Also, is this a black-box or white-box test?
– Polynomial, Sep 10 '12 at 19:35

It is a black-box test. As you know, MailWatch is open source, so if I need to see the content of some PHP pages, it is OK. One more thing to add: the server I am trying to hack is a mail server using Horde 3.1. I tried to find the sensitive file in Horde, but I am still searching for their default locations ...
– user1028, Sep 10 '12 at 19:47

Now I do know how to exploit the operating system via LFI. The idea is to inject PHP code inside one of the log files, but I am still facing a problem in locating the log files.
– user1028, Sep 11 '12 at 12:09

2 Answers

It can be exploited by log file injection. It might be possible to inject Apache log files, but these files need root access to open, so it will not be possible to open them via LFI. To solve this problem, we inject temporary Apache log files, which exist under this path:

So without SELinux, using Virtualmin on CentOS, it is possible to access log files from PHP with no issues, as they run under the same uid. However, with SELinux it is not possible, because it prevents reading anything from /var/log using a process invoked from the network. Also, mod_security doesn't allow doing it either (to pass PHP code).

Just a quick comment - it would have helped me to understand if the last paragraph were at the top - there are about two pages of dumps before I understood what I was looking at.
– Mark C. Wallace, Oct 24 '12 at 18:48
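
A defender-side view of the two techniques discussed in this thread (reading /proc/self/environ through the LFI, and PHP code planted in a log file): the following is an added example, not part of any post above, that flags both patterns in Apache combined-format access logs. The sample log lines, the `/app/view.php?page=` endpoint and the rule names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)              # PHP open tag stored in a log field
TRAVERSAL = re.compile(r'\.\.[/\\]')                      # ../ or ..\ in the request
SENSITIVE = re.compile(r'/proc/self/environ|/var/log/')  # files named in this thread

def decode(value):
    """URL-decode twice so single- and double-encoded input both normalise."""
    return unquote(unquote(value))

def classify(line):
    """Return the list of findings for one access-log line."""
    m = COMBINED.match(line.strip())
    if not m:
        return ["unparsed"]  # a line that breaks the format is itself worth review
    host, request, status, referer, agent = m.groups()
    findings = []
    for name, value in (("request", request), ("referer", referer), ("agent", agent)):
        if PHP_TAG.search(decode(value)):
            findings.append("php-tag:" + name)
    if TRAVERSAL.search(decode(request)):
        findings.append("traversal")
    if SENSITIVE.search(decode(request)):
        findings.append("sensitive-path")
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical /app/view.php?page=)
SAMPLE = [
    '192.0.2.10 - - [10/Sep/2012:19:24:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2012:19:35:00 +0000] "GET /app/view.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2012:19:47:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed marker */ ?>"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or ["clean"], line.split(" ")[0])
```

A `php-tag` finding in any field means the log file itself now contains PHP source, so it matters even when no inclusion request follows it in the same log.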